I'm building a small Razor app which will be hosted on IIS with Windows Authentication.
The application will query Active Directory roles and map them to application-specific roles, which will be added as a claim.
I have written a custom authentication handler which has the following code in it.
    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;

    private static int callCount = 0; // just for testing.

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // IIS already populated Context.User with the Windows principal.
        List<Claim> claims = new List<Claim>();
        callCount++;

        // Map the AD role to an application role.
        if (this.Context.User.IsInRole("SomeADRole"))
        {
            claims.Add(new Claim(ClaimTypes.Role, "SomeAppRole"));
        }

        // Value changes on every request (test only).
        claims.Add(new Claim("CallCount", callCount.ToString()));

        // Append the new claims to the existing Windows identity.
        foreach (var claim in claims)
        {
            this.Context.User.Identities.First().AddClaim(claim);
        }

        return await Task.FromResult<AuthenticateResult>(
            AuthenticateResult.Success(new AuthenticationTicket(this.Context.User, this.Scheme.Name)));
    }
So the site loads fine. However, when I try to post data, it fails with 400 Bad Request even before it reaches the endpoint.
After extensive debugging/trial and error, I came to the conclusion that it has to do with the Antiforgery checks. Specifically, the changing value of "callCount" on every request seems to bother the Antiforgery validation. If I don't change the callCount value, things work fine.
Questions:
- Is changing callCount the real issue? Are claim values also used in Antiforgery checks?
- Is the pattern I'm using to translate from Active Directory roles to my roles correct?
I tried many different variations of the code and found the fix, but I'm not sure if that is the root cause.
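The antiforgery token that ASP.NET Core writes into a rendered form is bound to the current user's identity, and by default that binding is derived from the authenticated principal's claims. A claim whose value differs between the GET that rendered the form and the POST that submits it (such as the per-request CallCount claim above) therefore makes the token fail validation, which is consistent with the behaviour described in the question. The following is an added example, not code from the question or from ASP.NET Core itself, that performs the same AD-group-to-application-role mapping as an IClaimsTransformation instead of inside the authentication handler, keeps the mapping deterministic (the same input identity always yields the same claim set), and is idempotent because the transformation can run more than once per request. The group names under CORP\, the application role names, the issuer string and the Demo class are assumptions for illustration; the Windows principal is stood in for by a constructed ClaimsPrincipal so the sample runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Added example: maps directory groups to application roles with a claims
// transformation. Register in Program.cs with
//   builder.Services.AddSingleton<IClaimsTransformation, AdRoleToAppRoleTransformation>();
// Group and role names are assumptions, not values from the question.
public sealed class AdRoleToAppRoleTransformation : IClaimsTransformation
{
    // Deterministic mapping: directory group -> application role.
    private static readonly IReadOnlyDictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["CORP\\App-Admins"] = "AppAdmin",
            ["CORP\\App-Users"]  = "AppUser",
        };

    // Issuer lets us tell our own role claims apart from the ones IIS supplied.
    private const string AppRoleIssuer = "MyRazorApp";

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identities.FirstOrDefault(i => i.IsAuthenticated);
        if (identity == null)
        {
            return Task.FromResult(principal);
        }

        // The transformation may run more than once per request, so only add a
        // claim when it is not already present; the claim set then never
        // changes from one request to the next for the same user.
        foreach (var (group, appRole) in RoleMap)
        {
            if (principal.IsInRole(group) && !HasAppRole(identity, appRole))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, appRole, ClaimValueTypes.String, AppRoleIssuer));
            }
        }

        return Task.FromResult(principal);
    }

    private static bool HasAppRole(ClaimsIdentity identity, string appRole) =>
        identity.HasClaim(c => c.Type == ClaimTypes.Role
                               && c.Value == appRole
                               && c.Issuer == AppRoleIssuer);
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed principal standing in for the Windows principal IIS supplies.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "CORP\\alice"),
            new Claim(ClaimTypes.Role, "CORP\\App-Users"),
        }, "Windows");
        var principal = new ClaimsPrincipal(identity);

        var transform = new AdRoleToAppRoleTransformation();
        principal = await transform.TransformAsync(principal);
        // Running it a second time adds nothing, so the claim set is stable.
        principal = await transform.TransformAsync(principal);

        Console.WriteLine($"AppUser:  {principal.IsInRole("AppUser")}");
        Console.WriteLine($"AppAdmin: {principal.IsInRole("AppAdmin")}");
        Console.WriteLine($"Role claims: {principal.Claims.Count(c => c.Type == ClaimTypes.Role)}");
    }
}
```

Keeping anything that varies per request (counters, timestamps, request ids) out of the principal's claims is what keeps the antiforgery binding valid across the GET/POST pair; if such data is needed, it belongs in HttpContext.Items or a scoped service rather than on the identity.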